if (smtp_load_reserve >= 0)
{
load_average = OS_GETLOADAVG();
- if (smtp_reserve_hosts == NULL && load_average > smtp_load_reserve)
+ if (!smtp_reserve_hosts && load_average > smtp_load_reserve)
{
DEBUG(D_any) debug_printf("rejecting SMTP connection: load average = %.2f\n",
(double)load_average/1000.0);
{
uschar *list = hosts_connection_nolog;
memset(sender_host_cache, 0, sizeof(sender_host_cache));
- if (list != NULL && verify_check_host(&list) == OK)
+ if (list && verify_check_host(&list) == OK)
save_log_selector &= ~L_smtp_connection;
else
log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %s "
int save_debug_selector = debug_selector;
BOOL local_queue_only;
BOOL session_local_queue_only;
- #ifdef SA_NOCLDWAIT
+#ifdef SA_NOCLDWAIT
struct sigaction act;
- #endif
+#endif
smtp_accept_count++; /* So that it includes this process */
+ /* If the listen backlog was over the monitoring level, log it. */
+
+ if (smtp_listen_backlog > smtp_backlog_monitor)
+ log_write(0, LOG_MAIN, "listen backlog %d I=[%s]:%d",
+ smtp_listen_backlog, interface_address, interface_port);
+
/* May have been modified for the subprocess */
*log_selector = save_log_selector;
(void)fcntl(dup_accept_socket, F_SETFD,
fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC);
- #ifdef SA_NOCLDWAIT
+#ifdef SA_NOCLDWAIT
act.sa_handler = SIG_IGN;
sigemptyset(&(act.sa_mask));
act.sa_flags = SA_NOCLDWAIT;
sigaction(SIGCHLD, &act, NULL);
- #else
+#else
signal(SIGCHLD, SIG_IGN);
- #endif
+#endif
signal(SIGTERM, SIG_DFL);
+ signal(SIGINT, SIG_DFL);
/* Attempt to get an id from the sending machine via the RFC 1413
protocol. We do this in the sub-process in order not to hold up the
(void)fclose(smtp_in);
(void)close(fileno(smtp_out));
(void)fclose(smtp_out);
+ smtp_in = smtp_out = NULL;
/* Don't ever molest the parent's SSL connection, but do clean up
the data structures if necessary. */
signal(SIGHUP, SIG_DFL);
signal(SIGCHLD, SIG_DFL);
signal(SIGTERM, SIG_DFL);
+ signal(SIGINT, SIG_DFL);
if (geteuid() != root_uid && !deliver_drop_privilege)
{
}
-
static void
set_pid_file_path(void)
{
if (!*pid_file_path)
pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory);
+
+if (pid_file_path[0] != '/')
+ log_write(0, LOG_PANIC_DIE, "pid file path %s must be absolute\n", pid_file_path);
}
-/* Remove the daemon's pidfile. Note: runs with root privilege,
-as a direct child of the daemon. Does not return. */
+enum pid_op { PID_WRITE, PID_CHECK, PID_DELETE };
-void
-delete_pid_file(void)
+/* Do various pid file operations as safe as possible. Ideally we'd just
+drop the privileges for creation of the pid file and not care at all about removal of
+the file. FIXME.
+Returns: true on success, false + errno==EACCES otherwise
+*/
+
+static BOOL
+operate_on_pid_file(const enum pid_op operation, const pid_t pid)
{
-uschar * daemon_pid = string_sprintf("%d\n", (int)getppid());
-FILE * f;
+char pid_line[sizeof(int) * 3 + 2];
+const int pid_len = snprintf(pid_line, sizeof(pid_line), "%d\n", (int)pid);
+BOOL lines_match = FALSE;
+uschar * path, * base, * dir;
+
+const int dir_flags = O_RDONLY | O_NONBLOCK;
+const int base_flags = O_NOFOLLOW | O_NONBLOCK;
+const mode_t base_mode = 0644;
+struct stat sb;
+int cwd_fd = -1, dir_fd = -1, base_fd = -1;
+BOOL success = FALSE;
+errno = EACCES;
set_pid_file_path();
-if ((f = Ufopen(pid_file_path, "rb")))
+if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid) goto cleanup;
+if (pid_len < 2 || pid_len >= (int)sizeof(pid_line)) goto cleanup;
+
+path = string_copy(pid_file_path);
+if ((base = Ustrrchr(path, '/')) == NULL) /* should not happen, but who knows */
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid file path \"%s\" does not contain a '/'", pid_file_path);
+
+dir = base != path ? path : US"/";
+*base++ = '\0';
+
+if (!dir || !*dir || *dir != '/') goto cleanup;
+if (!base || !*base || Ustrchr(base, '/') != NULL) goto cleanup;
+
+cwd_fd = open(".", dir_flags);
+if (cwd_fd < 0 || fstat(cwd_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
+dir_fd = open(CS dir, dir_flags);
+if (dir_fd < 0 || fstat(dir_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
+
+/* emulate openat */
+if (fchdir(dir_fd) != 0) goto cleanup;
+base_fd = open(CS base, O_RDONLY | base_flags);
+if (fchdir(cwd_fd) != 0)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
+
+if (base_fd >= 0)
+ {
+ char line[sizeof(pid_line)];
+ ssize_t len = -1;
+
+ if (fstat(base_fd, &sb) != 0 || !S_ISREG(sb.st_mode)) goto cleanup;
+ if ((sb.st_mode & 07777) != base_mode || sb.st_nlink != 1) goto cleanup;
+ if (sb.st_size < 2 || sb.st_size >= (off_t)sizeof(line)) goto cleanup;
+
+ len = read(base_fd, line, sizeof(line));
+ if (len != (ssize_t)sb.st_size) goto cleanup;
+ line[len] = '\0';
+
+ if (strspn(line, "0123456789") != (size_t)len-1) goto cleanup;
+ if (line[len-1] != '\n') goto cleanup;
+ lines_match = len == pid_len && strcmp(line, pid_line) == 0;
+ }
+
+if (operation == PID_WRITE)
{
- if ( fgets(CS big_buffer, big_buffer_size, f)
- && Ustrcmp(daemon_pid, big_buffer) == 0
- )
- if (Uunlink(pid_file_path) == 0)
+ if (!lines_match)
+ {
+ if (base_fd >= 0)
{
- DEBUG(D_any)
- debug_printf("%s unlink: %s\n", pid_file_path, strerror(errno));
- }
- else
- DEBUG(D_any)
- debug_printf("unlinked %s\n", pid_file_path);
- fclose(f);
+ int error = -1;
+ /* emulate unlinkat */
+ if (fchdir(dir_fd) != 0) goto cleanup;
+ error = unlink(CS base);
+ if (fchdir(cwd_fd) != 0)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
+ if (error) goto cleanup;
+ (void)close(base_fd);
+ base_fd = -1;
+ }
+ /* emulate openat */
+ if (fchdir(dir_fd) != 0) goto cleanup;
+ base_fd = open(CS base, O_WRONLY | O_CREAT | O_EXCL | base_flags, base_mode);
+ if (fchdir(cwd_fd) != 0)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
+ if (base_fd < 0) goto cleanup;
+ if (fchmod(base_fd, base_mode) != 0) goto cleanup;
+ if (write(base_fd, pid_line, pid_len) != pid_len) goto cleanup;
+ DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path);
+ }
}
else
- DEBUG(D_any)
- debug_printf("%s\n", string_open_failed("pid file %s", pid_file_path));
+ {
+ if (!lines_match) goto cleanup;
+ if (operation == PID_DELETE)
+ {
+ int error = -1;
+ /* emulate unlinkat */
+ if (fchdir(dir_fd) != 0) goto cleanup;
+ error = unlink(CS base);
+ if (fchdir(cwd_fd) != 0)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
+ if (error) goto cleanup;
+ }
+ }
+
+success = TRUE;
+errno = 0;
+
+cleanup:
+if (cwd_fd >= 0) (void)close(cwd_fd);
+if (dir_fd >= 0) (void)close(dir_fd);
+if (base_fd >= 0) (void)close(base_fd);
+return success;
+}
+
+
+/* Remove the daemon's pidfile. Note: runs with root privilege,
+as a direct child of the daemon. Does not return. */
+
+void
+delete_pid_file(void)
+{
+const BOOL success = operate_on_pid_file(PID_DELETE, getppid());
+
+DEBUG(D_any)
+ debug_printf("delete pid file %s %s: %s\n", pid_file_path,
+ success ? "success" : "failure", strerror(errno));
+
exim_exit(EXIT_SUCCESS);
}
{
int pid;
-DEBUG(D_any) debug_printf("SIGTERM seen\n");
+DEBUG(D_any) debug_printf("SIGTERM/SIGINT seen\n");
#if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
tls_watch_invalidate();
#endif
}
+
+
+static void
+add_listener_socket(int fd, fd_set * fds, int * fd_max)
+{
+FD_SET(fd, fds);
+if (fd > *fd_max) *fd_max = fd;
+}
+
/*************************************************
* Exim Daemon Mainline *
*************************************************/
void
daemon_go(void)
{
-struct passwd *pw;
-int *listen_sockets = NULL;
-int listen_socket_count = 0;
-ip_address_item *addresses = NULL;
+struct passwd * pw;
+int * listen_sockets = NULL;
+int listen_socket_count = 0, listen_fd_max = 0;
+fd_set select_listen;
+ip_address_item * addresses = NULL;
time_t last_connection_time = (time_t)0;
int local_queue_run_max = atoi(CS expand_string(queue_run_max));
DEBUG(D_any|D_v) debug_selector |= D_pid;
+FD_ZERO(&select_listen);
if (f.inetd_wait_mode)
{
listen_socket_count = 1;
if (setsockopt(3, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on)))
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to set socket NODELAY: %s",
strerror(errno));
+
+ FD_SET(3, &select_listen);
+ listen_fd_max = 3;
}
for those OS for which this is necessary the first time it is called (in
order to perform an "open" on the kernel memory file). */
- #ifdef LOAD_AVG_NEEDS_ROOT
+#ifdef LOAD_AVG_NEEDS_ROOT
if (queue_only_load >= 0 || smtp_load_reserve >= 0 ||
(deliver_queue_load_max >= 0 && deliver_drop_privilege))
(void)os_getloadavg();
- #endif
+#endif
}
for (ipa = addresses, sk = 0; sk < listen_socket_count; ipa = ipa->next, sk++)
{
BOOL wildcard;
- ip_address_item *ipa2;
- int af;
+ ip_address_item * ipa2;
+ int fd, af;
if (Ustrchr(ipa->address, ':') != NULL)
{
wildcard = ipa->address[0] == 0;
}
- if ((listen_sockets[sk] = ip_socket(SOCK_STREAM, af)) < 0)
+ if ((listen_sockets[sk] = fd = ip_socket(SOCK_STREAM, af)) < 0)
{
if (check_special_case(0, addresses, ipa, FALSE))
{
#ifdef IPV6_V6ONLY
if (af == AF_INET6 && wildcard &&
- setsockopt(listen_sockets[sk], IPPROTO_IPV6, IPV6_V6ONLY, CS (&on),
- sizeof(on)) < 0)
+ setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
log_write(0, LOG_MAIN, "Setting IPV6_V6ONLY on daemon's IPv6 wildcard "
"socket failed (%s): carrying on without it", strerror(errno));
#endif /* IPV6_V6ONLY */
is being handled. Without this, a connection will prevent reuse of the
smtp port for listening. */
- if (setsockopt(listen_sockets[sk], SOL_SOCKET, SO_REUSEADDR,
- US (&on), sizeof(on)) < 0)
+ if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "setting SO_REUSEADDR on socket "
"failed when starting daemon: %s", strerror(errno));
/* Set TCP_NODELAY; Exim does its own buffering. There is a switch to
disable this because it breaks some broken clients. */
- if (tcp_nodelay) setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_NODELAY,
- US (&on), sizeof(on));
+ if (tcp_nodelay) setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
/* Now bind the socket to the required port; if Exim is being restarted
it may not always be possible to bind immediately, even with SO_REUSEADDR
for(;;)
{
uschar *msg, *addr;
- if (ip_bind(listen_sockets[sk], af, ipa->address, ipa->port) >= 0) break;
+ if (ip_bind(fd, af, ipa->address, ipa->port) >= 0) break;
if (check_special_case(errno, addresses, ipa, TRUE))
{
DEBUG(D_any) debug_printf("wildcard IPv4 bind() failed after IPv6 "
"listen() success; EADDRINUSE ignored\n");
- (void)close(listen_sockets[sk]);
+ (void)close(fd);
goto SKIP_SOCKET;
}
msg = US strerror(errno);
else
debug_printf("listening on %s port %d\n", ipa->address, ipa->port);
+ /* Start listening on the bound socket, establishing the maximum backlog of
+ connections that is allowed. On success, add to the set of sockets for select
+ and continue to the next address. */
+
#if defined(TCP_FASTOPEN) && !defined(__APPLE__)
if ( f.tcp_fastopen_ok
- && setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_FASTOPEN,
+ && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN,
&smtp_connect_backlog, sizeof(smtp_connect_backlog)))
{
DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
f.tcp_fastopen_ok = FALSE;
}
#endif
-
- /* Start listening on the bound socket, establishing the maximum backlog of
- connections that is allowed. On success, continue to the next address. */
-
- if (listen(listen_sockets[sk], smtp_connect_backlog) >= 0)
+ if (listen(fd, smtp_connect_backlog) >= 0)
{
#if defined(TCP_FASTOPEN) && defined(__APPLE__)
if ( f.tcp_fastopen_ok
- && setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_FASTOPEN,
- &on, sizeof(on)))
+ && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on)))
{
DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
f.tcp_fastopen_ok = FALSE;
}
#endif
+
+ add_listener_socket(fd, &select_listen, &listen_fd_max);
continue;
}
DEBUG(D_any) debug_printf("wildcard IPv4 listen() failed after IPv6 "
"listen() success; EADDRINUSE ignored\n");
- (void)close(listen_sockets[sk]);
+ (void)close(fd);
/* Come here if there has been a problem with the socket which we
are going to ignore. We remove the address from the chain, and back up the
if (f.running_in_test_harness || write_pid)
{
- FILE *f;
-
- set_pid_file_path();
- if ((f = modefopen(pid_file_path, "wb", 0644)))
- {
- (void)fprintf(f, "%d\n", (int)getpid());
- (void)fclose(f);
- DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path);
- }
- else
- DEBUG(D_any)
- debug_printf("%s\n", string_open_failed("pid file %s", pid_file_path));
+ const enum pid_op operation = (f.running_in_test_harness
+ || real_uid == root_uid
+ || (real_uid == exim_uid && !override_pid_file_path)) ? PID_WRITE : PID_CHECK;
+ if (!operate_on_pid_file(operation, getpid()))
+ DEBUG(D_any) debug_printf("%s pid file %s: %s\n", (operation == PID_WRITE) ? "write" : "check", pid_file_path, strerror(errno));
}
/* Set up the handler for SIGHUP, which causes a restart of the daemon. */
sigterm_seen = FALSE;
os_non_restarting_signal(SIGTERM, main_sigterm_handler);
+os_non_restarting_signal(SIGINT, main_sigterm_handler);
/* If we are to run the queue periodically, pretend the alarm has just gone
off. This will cause the first queue-runner to get kicked off straight away. */
tls_daemon_init();
#endif
+/* Add ancillary sockets to the set for select */
+
+#ifndef DISABLE_TLS
+if (tls_watch_fd >= 0)
+ add_listener_socket(tls_watch_fd, &select_listen, &listen_fd_max);
+#endif
+if (daemon_notifier_fd >= 0)
+ add_listener_socket(daemon_notifier_fd, &select_listen, &listen_fd_max);
+
+listen_fd_max++;
+
/* Close the log so it can be renamed and moved. In the few cases below where
this long-running process writes to the log (always exceptional conditions), it
closes the log afterwards, for the same reason. */
for (;;)
{
- #if HAVE_IPV6
- struct sockaddr_in6 accepted;
- #else
- struct sockaddr_in accepted;
- #endif
-
- EXIM_SOCKLEN_T len;
pid_t pid;
if (sigterm_seen)
signal(SIGHUP, SIG_DFL);
signal(SIGCHLD, SIG_DFL);
signal(SIGTERM, SIG_DFL);
+ signal(SIGINT, SIG_DFL);
/* Re-exec if privilege has been given up, unless deliver_drop_
privilege is set. Reset SIGALRM before exec(). */
if (f.daemon_listen)
{
- int lcount;
- int max_socket = 0;
+ int check_lsk = 0, lcount;
BOOL select_failed = FALSE;
- fd_set select_listen;
-
- FD_ZERO(&select_listen);
-#ifndef DISABLE_TLS
- if (tls_watch_fd >= 0)
- {
- FD_SET(tls_watch_fd, &select_listen);
- if (tls_watch_fd > max_socket) max_socket = tls_watch_fd;
- }
-#endif
- if (daemon_notifier_fd >= 0)
- {
- FD_SET(daemon_notifier_fd, &select_listen);
- if (daemon_notifier_fd > max_socket) max_socket = daemon_notifier_fd;
- }
- for (int sk = 0; sk < listen_socket_count; sk++)
- {
- FD_SET(listen_sockets[sk], &select_listen);
- if (listen_sockets[sk] > max_socket) max_socket = listen_sockets[sk];
- }
+ fd_set fds = select_listen;
DEBUG(D_any) debug_printf("Listening...\n");
errno = EINTR;
}
else
- lcount = select(max_socket + 1, (SELECT_ARG2_TYPE *)&select_listen,
+ lcount = select(listen_fd_max, (SELECT_ARG2_TYPE *)&fds,
NULL, NULL, NULL);
if (lcount < 0)
while (lcount-- > 0)
{
int accept_socket = -1;
+#if HAVE_IPV6
+ struct sockaddr_in6 accepted;
+#else
+ struct sockaddr_in accepted;
+#endif
if (!select_failed)
{
#if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
- if (tls_watch_fd >= 0 && FD_ISSET(tls_watch_fd, &select_listen))
+ if (tls_watch_fd >= 0 && FD_ISSET(tls_watch_fd, &fds))
{
- FD_CLR(tls_watch_fd, &select_listen);
tls_watch_trigger_time = time(NULL); /* Set up delayed event */
tls_watch_discard_event(tls_watch_fd);
break; /* to top of daemon loop */
}
#endif
- if ( daemon_notifier_fd >= 0
- && FD_ISSET(daemon_notifier_fd, &select_listen))
+ if (daemon_notifier_fd >= 0 && FD_ISSET(daemon_notifier_fd, &fds))
{
- FD_CLR(daemon_notifier_fd, &select_listen);
sigalrm_seen = daemon_notification();
break; /* to top of daemon loop */
}
- for (int sk = 0; sk < listen_socket_count; sk++)
- if (FD_ISSET(listen_sockets[sk], &select_listen))
+ while (check_lsk < listen_socket_count)
+ {
+ int lfd = listen_sockets[check_lsk++];
+ if (FD_ISSET(lfd, &fds))
{
- len = sizeof(accepted);
- accept_socket = accept(listen_sockets[sk],
- (struct sockaddr *)&accepted, &len);
- FD_CLR(listen_sockets[sk], &select_listen);
+ EXIM_SOCKLEN_T alen = sizeof(accepted);
+#ifdef TCP_INFO
+ struct tcp_info ti;
+ socklen_t tlen = sizeof(ti);
+
+ /* If monitoring the backlog is wanted, grab for later logging */
+
+ smtp_listen_backlog = 0;
+ if ( smtp_backlog_monitor > 0
+ && getsockopt(lfd, IPPROTO_TCP, TCP_INFO, &ti, &tlen) == 0)
+ {
+# ifdef EXIM_HAVE_TCPI_UNACKED
+ DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
+ lfd, ti.tcpi_sacked, ti.tcpi_unacked);
+ smtp_listen_backlog = ti.tcpi_unacked;
+# elif defined(__FreeBSD__) /* This does not work. Investigate kernel sourcecode. */
+ DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
+ lfd, ti.__tcpi_sacked, ti.__tcpi_unacked);
+ smtp_listen_backlog = ti.__tcpi_unacked;
+# endif
+ }
+#endif
+ accept_socket = accept(lfd, (struct sockaddr *)&accepted, &alen);
break;
}
+ }
}
/* If select or accept has failed and this was not caused by an
else if ( errno != accept_retry_errno
|| select_failed != accept_retry_select_failed
|| accept_retry_count >= 50)
- {
- log_write(0, LOG_MAIN | (accept_retry_count >= 50 ? LOG_PANIC : 0),
- "%d %s() failure%s: %s",
- accept_retry_count,
- accept_retry_select_failed ? "select" : "accept",
- accept_retry_count == 1 ? "" : "s",
- strerror(accept_retry_errno));
- log_close_all();
- accept_retry_count = 0;
- accept_retry_errno = errno;
- accept_retry_select_failed = select_failed;
- }
+ {
+ log_write(0, LOG_MAIN | (accept_retry_count >= 50 ? LOG_PANIC : 0),
+ "%d %s() failure%s: %s",
+ accept_retry_count,
+ accept_retry_select_failed ? "select" : "accept",
+ accept_retry_count == 1 ? "" : "s",
+ strerror(accept_retry_errno));
+ log_close_all();
+ accept_retry_count = 0;
+ accept_retry_errno = errno;
+ accept_retry_select_failed = select_failed;
+ }
accept_retry_count++;
}
else if (accept_retry_count > 0)
git://git.exim.org / exim.git / blobdiff